Cryptanalytic Attacks on Pseudorandom Number Generators
- FAST SOFTWARE ENCRYPTION, FIFTH INTERNATIONAL PROCEEDINGS
, 1998
Cited by 34 (2 self)
In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.
DEAL - A 128-bit Block Cipher
- NIST AES Proposal
, 1998
Cited by 17 (0 self)
We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" is made small, and the encryption rate is similar to that of triple-DES. We conjecture that the most realistic (or the least unrealistic) attack on all versions of DEAL is an exhaustive search for the keys. We have suggested ANSI to include DEAL in the ANSI standard X9.52. We also suggest DEAL as a candidate for the NIST AES standard. 1 Introduction The DES (or DEA) [14] is a 64-bit block cipher taking a 64-bit key, of which 56 bits are effective. It is an iterated 16-round cipher, where the ciphertext is processed by applying a round function iteratively to the plaintext. The DES has a so-called Feistel structure: in each round one half of the ciphertext is fed through a non-linear f...
Second preimages on n-bit hash functions for much less than 2^n work
Cited by 11 (2 self)
We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2^k-message-block message with about k × 2^(n/2+1) + 2^(n−k+1) work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2^60 byte message in about 2^106 work, rather than the previously expected 2^160 work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages, patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.
Attacking Triple Encryption
, 1998
Cited by 4 (0 self)
The standard technique to attack triple encryption is the meet-in-the-middle attack. In this paper, more efficient attacks are presented. Compared to meet-in-the-middle, our attacks either greatly reduce the number of single encryptions to be done, or somewhat reduce the overall number of steps. Especially, about 2^108 steps of computation are sufficient to break three-key triple DES. If one concentrates on the number of single DES operations and assumes the other operations to be much faster, 2^90 of these are enough. We use this to compare the security of triple DES and DESX.
On the Security of the 128-Bit Block Cipher DEAL
, 1998
Cited by 3 (0 self)
DEAL is a DES-based block cipher proposed by Knudsen. The block size of DEAL is 128 bits, twice as much as the DES block size. The main result of the current paper is a certificational attack on DEAL192, the DEAL variant with a 192-bit key. The attack allows a trade-off between the number of plaintext/ciphertext pairs and the time for the attacker's computations. Nevertheless, the DEAL design principle seems to be a useful way of doubling the block size of a given block cipher. 1 Introduction The "data encryption standard" (DES) is the world's most well known symmetric cipher. Formally, the standard defines a 64-bit key, but 8 bits are defined as "parity bits" and only 56 bits are actually used as the encryption key, i.e., the DES key size is 56 bits. Brute-force attacks for recovering a key are feasible, today – and considered the only practical way of breaking DES. Thus, while the DES itself cannot be considered secure, it is still attractive to use it as a component for designing ano...
On the Security of Double and 2-Key Triple Modes of Operation
Cited by 3 (1 self)
The DES has reached the end of its lifetime due to its too short key length and block length (56 and 64 bits respectively). As we are awaiting the new AES, triple (and double) encryption are the common solution. However, several authors have shown that these multiple modes are much less secure than anticipated. The general belief is that these schemes should not be used, as they are not resistant against attacks requiring 2^64 chosen plaintexts. This paper extends the analysis by considering some more realistic attack models. It also presents an improved attack on multiple modes that contain an OFB mode and discusses practical solutions that take into account realistic constraints. 1 Introduction Ever since the Data Encryption Standard [?] was adopted in the mid 1970s, the issue of its small key size has been raised. Nowadays a 56-bit key is clearly within the range of a dedicated exhaustive search machine [?,?]. Already in 1979, Tuchman proposed the use of triple-DES with two or ...
Cryptanalysis of TWOPRIME
, 1998
Cited by 2 (1 self)
Ding et al [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover half the key with minimal effort. Next, we show that the various bytes are insufficiently mixed by these layers, enabling an attack similar to those on two-loop Vigenere ciphers to recover the remainder of the key. Combining these techniques lets us recover the entire TWOPRIME key. We require the generator to produce 2 blocks (2 bytes), or 19 hours worth of output, of which we examine about one million blocks (2^23 bytes); the computational workload can be estimated at 2 operations. Another set of attacks trades off texts for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes), while needing 2 time and 2 space. We also show how to break two variants of TWOPRIME presented in the original paper.
A Universal Encryption Standard
, 2000
Cited by 1 (0 self)
DES and triple-DES are two well-known and popular encryption algorithms, but they both have the same drawback: their block size is limited to 64 bits. While the cryptographic community is working hard to select and evaluate candidates and finalists for the AES (Advanced Encryption Standard) contest launched by NIST in 1997, it might be of interest to propose a secure and simple double block-length encryption algorithm. More than in terms of key length and block size, our Universal Encryption Standard is a new construction that remains totally compliant with DES and triple-DES specifications as well as with AES requirements.
How To Make DES-Based Smartcards Fit For The 21-st Century - Cryptographic Techniques for Advanced Security Requirements
With its 56-bit key size, the data encryption standard (DES) seems to be at end of its useful lifetime. Also, the 64-bit DES block size is dangerously small for some applications. We discuss techniques such as triple DES and DESX to push up the key size, and we present DEAL to increase both block and key size. We propose DEALkx, a new variant of DEAL with an improved key schedule.

